 Testink, testink, toukaj, slyšíš mi? Jo, jo, testink. Ready? Jo. Now days. Super, dík. Budu na YouTube, si se koukáv. Ale je tam jen zvuk a prezentace. Na některých je toho víc, ale tady jenem. Přijdeš náhrad dělat toho nabíte, já jsem. Prostě připravo do meho kompa. To nědostou v zatebě. Welcome everyone. Preži o tenšin. Hier are some free posters. So if you want, you can grab one. Please, when you come during the presentation, please close the door as quietly as possible. When you want elevate decisions, you can visit this link. a můžeme příjti, když se zvukáváme konferenc a vytvoříte blog post. A tady, můžeme příjti, můžeme příjti mým prezentám Miro Slavgreplu s SE Linux v návnice. V návnice říkajte. Můžete mít? Tak, můžete mít. Vypůjte v návnice. Je to větší, že jste zvukat, že je to zvukat. Je to zvukat, že je se zvukat. Mám slyšený Miroslav Gruplo, jen složený v SNUX fojers, semen years a nevěděle. A do laty jsme představili vyjelé následné úvědné úplny na celý SNUX-touk z upstreamu v Fedora 23. a vytvoříme na první výstřet. Na srdském výstřetu s tím, který se počeká výstřet, a na rádném. A náví se výstřete, co se vyskávat, když jde do výstřetů, které se vyskávat, co si linnukové dělává? A příklad se závodovat, závodovat, co se závodovat, co jsme dělává, co si dělává. A závodovat a dělávat. Jsme dělává? A závodovat. The first big improvements. We introduced big performance gains. Do you remember, if you recently, if you previously tried to install the policy, or if you tried to disable or enable a policy for a service, for example for the docker, it took your time, it took my time, you were waiting and waiting and waiting. Is there Lukáš? Lukáš, do you remember? Yeah, I do, yeah, me too, yeah. So you had approximately 15 seconds for these guys, for these words. And I don't, to be honest, I don't know how to spell it. I am not Bostonian. I like this guy who is traveling for Super Bowl right now. And also I really like this picture, but sorry man, sorry then, but I like this picture much more. You can see, if you previously installed the policy, it took 20 seconds. If the currently, if right now, you try to install the policy, it takes five, six seconds. And the same. I am then Vosch, and I wanted previously try to disable docker policy. So it took 20 seconds. But currently, right now, it takes five seconds. And the same if you wanted to back to enable the policy. Do you like it? I like it, I really, it's really huge. So we introduced 75% speed up of tools that perform a Selinux policy management. It's huge, really huge. Is it true? Thanks, thanks, thanks, come on. Thanks. Of course. To be all. Yeah, yeah. Thank you. And thank you for, it's the last day. So thank you for your questions. If you can trust me. Thank you, really thanks. No, it's a roll height. So, sandbox in system. Okay, so counting counting. Hopefully you can trust me. It's, it's here. Do you trust me? Okay, thanks. Okay, so the second, the second big improvement. We introduce a new way. A new really easy way how to shift your own policy, your own version policy for your service, for your product, and so on. So, let's go again with Docker. I am Dan Walsh. I deployed the Docker policy. I installed the policy and right now what happened? I failed. I failed. There was the following error. There was a duplicate error. There was a conflict. Why? Do you know? Okay, these guys know. Because the Docker policy was also shipped by the distribution policy. But with the new Sinox tooling, no more errors. No more fails. You don't care about the distribution. You care about the distribution policy. And we make Dan Walsh happy. So, to be happy. So, there is an example. If the current, if the currently install the Docker, you will see something like this. You can see there is a Docker policy shipped by the distribution policy. So it's a Docker distribution policy. It has 100 priority. And in the same time, you will see, you can see Docker policy, my own Docker policy, which has 400 priority. And surprisingly, maybe not, higher priority wins. So, my own Docker policy is used in the distribution. And overrides the distribution policy. Yes? It can be different. Right now, 100 priority is a default priority for distribution modules. You can change it. You can have 200 priority. It can be changed. So, and we, and Dan, is, we are happy with that solution. So, we have a ability to assign priorities to modules. So, the first big improvement. With the new SNUX tooling, we introduce new common intermediate language called SEAL. That is, I have a story for this topic. Sometimes ago, we needed to create a local policy for SNUX toolbox tool to make this tool working, because there were some kernel changes, let's say, no, no, no, the issues, no, the bugs, but changes. So, I created mySENBOX.t file. Here you can see the example. It's written in M4 macro language. And right now, the fun started. I needed, I needed to compile this file to create mySENBOX.pp file. It's a, it's a compiled policy module. We call it as a high-level language, high-level language, high-level language, which is not readable. There is no easy way, because it's compiled. There is no easy way how to read it. And after that, we needed to recompile this compiled module to create binary policy. And this binary policy was loaded to the kernel. So kernel could enforce this policy. So it's really complicated. And right now, right now, you know why it took 20 seconds. Yeah, it's too many steps. Do you like it? Me too, yeah. Even more, I don't know how to write these rules. So there is a picture for these steps. You can see we have source files. We compile them to .pp through intermediate files. And after that, this compiled policy module we recompile to binary policy. And this binary policy is loaded to the kernel. So I don't like it. With SEAL, it's much more easier. It's like a dream for me. So I can just write. I create my sandbox.seal file. I can just write one line, one line, no compiling. And just I load it using SEAL module tool. So it's really awesome. It's amazing for me, probably for you. And more. This is intermediate language. And this language is human readable for me, probably for you. It will be better. But it's much more better than M4 language in the previous example. So we have readable intermediate policy language. And we have ability, we have a potential for a new high-level language. For a new high-level language, which is readable against .pp, which is not readable. I have an example for you. There is a high-level language called LOL policy from Joshua Brindle. And there is an example of the policy. I am a log watch, and I want to read web server logs. It's human readable. Do you understand it? It's much more better. There is a big opportunity for a new high-level language. I like it. It's like a dream. We can write a new high-level language, for example, in JavaScript or something like that. So it's here. It's important. It's here. It's Fedora 23. So feel free to test it. Feel free to run a C module, dash B and test it. So the question is who is behind these changes at the Red Hat. So me, currently working on a stimulate and policy stuff like that, I will mention some guys, please, guys, put your hands up if you are here. Paul, working on Kernel, this guy. Petr, working on mainly user space. Here he is. Yeah, thank you. I would say a new policy guy, my replacement. Lukáš is, ah, nice. All settings team is here. Weed is our intern. We currently is working on policy analyze tool. I will talk about it later in this presentation. Miloš is our QE guy at the Red Hat. Miloš, thank you for your talk about SNU's troubleshooting. It was really great. OK, so it was SNU's team at the Red Hat. Nice faces, right? It's binding, yeah. Thank you. OK, so right now you will get, hopefully, your answers. What SNU's can do for me? What SNU's can do for you? SNU protects your system for consequences of exploited applications, of exploited your favorite applications. Give me some examples. What is your favorite apps? SSD system, the stuff like that. And maybe, you know, there was a security issue in SNU. This one, when under certain conditions, you were able to access any file on your system. So for example, you were able to access Etsy shadow file. And what is the question? The question is, was your, was my system protected? This system wasn't protected. Definitely wasn't. You can see, we were able to access Etsy shadow file. So we were able to see our secrets as a consequence of the pseudo exploit. Fortunately, my system, and probably also your systems, my system was protected before that attack. And why? Because I have SC Linux turned on. And I have SC Linux in enforcing mode. It's correct? It's true? Let's check. Ah, it's true. You can see. In enforcing mode. So as a result, pseudo process was successfully isolated by SC Linux. So what next? SC Linux protects your virtual machines. Again, there was a security issue called Venom. Do you know about it? You mentioned it. Joshua also mentioned it yesterday. Josh mentioned it yesterday. And the question, again, the same questions, is my system protected? Are my virtual machines protected before that exploit? With SC Linux, yes. If you have SC Linux with libvert, you get your virtual machines isolated by SC Linux using categories. So each virtual machine has its own category, its own unique category. So if there is an exploit in a virtual machine, your hosting system is protected because your virtual machine is isolated by SC Linux. And even more, your other virtual machines are also protected because they are also isolated. So it's called a sweat. OK. What next? SC Linux keeps your container in its own space. Containers are everywhere. Maybe you know containers don't contain. Correct. Thank you. So what SC Linux does with containers? No magic. It's the same as we have with a sweat. We can have thousands of containers, thousands and thousands of containers. And each container is isolated in the same way as a sweat. So each container has its own unique category. That's the whole story. It's the same as we have for virtual machines. Still the same. Yeah. Thank you. No. Yeah. Easy answer. I'm talking about isolation outside containers. Yeah. So yeah. It's a future now. No. No. Look at this guy. No. Yeah. We were talking about that on the party and even a lot of beers. No. No. There is no chance inside containers. So OK. So I've been talking about a thousand containers. So SC Linux brings advanced security for multi-tenant environments. What is specific for these environments? We can have thousands and thousands processes. And we want to isolate them from each other to prevent consequences of possible exploits. So give me some example of multi-tenant environments. I will. OK. OpenShift. So in OpenShift, in older version of OpenShift, we have gears isolated in the same way as I described above for virtual machines for containers. In OpenShift version 3 containers are in the game. So right now, you know, we have isolated containers in OpenShift 3. OK. So stand up. Please, please, come on, please. Please, come on, please. It's morning, almost lunch. OK. Thank you. Thank you. And let's start. Security. Security. Vynce. Vynce. Vynce. Vynce. SC Linux. Vynce. Thank you. So what we are going, what is coming this year, what we are going to do for you this year. Excuse me. The biggest goal is we call it a new SC Linux on ATOMIC, SEATOMIC. What we would like to achieve? What we would like to address with SEATOMIC? We would like to have a support for factory reset. In the new SC Linux tooling, we have distribution defaults. It means we have defaults policy modules in warlike SC Linux directory. Also together with your customizations. What does it mean if we talk about factory reset? The idea is that a slash war is empty if there is a factory reset. So our customizations are gone. It's OK. But we also have distribution defaults in the directory. So it means our distribution defaults will and will lose. And we lose them currently. The idea is to split these distribution defaults and these customizations. So we can leave your customizations in warlike SC Linux and move distribution defaults to read only directory. So for example, user like SC Linux. And with that, the idea of factory reset on ATOMIC GOATS will work. We were talking about it with Colin. So some additional fixes will be needed on ATOMIC, but this idea. So what is the next goal? What is the second goal with SC ATOMIC? We would like to provide a policy reflecting ATOMIC host requirements. So from our point of view, from SC Linux point of view, ATOMIC hosts are about containers and are about services around containers. There is no need, really no need to have such a huge policy, which we currently have. It's targeted policy. I called it workstation policy. Some numbers. In this policy, we have thousands types for your services. We have over 100 rules for your services. So it's so huge. It's so complicated and really no need to have this policy on ATOMIC GOATS. So we would like to bring a new concept, a policy written from the scratch, totally from the scratch. New ideas. I called it lightweight policy. We would bring a big reduction of types from thousands to tens. We can start with five, ten process types. Ten process types against thousands. Do you see? It's really huge. It's the same for rules. We will bring a reduction of these rules from tens thousands to thousands, I would say, maybe hundreds, only two hundreds. Because containers. So we would also bring simplified and understandable policy for you. Really easy policy. And as a consequence of these changes, we would introduce significant speed-up, additional significant speed-up of tools that perform a Syllinux policy management. I think we could talk about almost 100% speed-up of these tools. So it would be really quick. It would be really fast. And it's coming. OK, the next goal, our next goal for reserve is Syllinux troubleshooting. OK, have you ever seen a picture like this? Put your hands up. Yeah, yeah, thank you. So sometimes if you are doing a Syllinux troubleshooting, SE Alert gives you multiple choices. And the question is how do you know what is the best solution? How do you know what you are supposed to do? Is the correct question? I think so. It is. So we would like to bring improvements and provide you easy, really easy solution. Easy, clever solution for you, for your policy issues. And even more, we would like to integrate this Syllinux troubleshooting with cockpit. Steph Walters, we are talking about it yesterday, so it's happening right now. It's coming really, really soon. OK, and the last goal in this presentation is Syllinux policy analysis tool. Excuse me, I mentioned it at the beginning. What is the story about this tool as a user or as a developer? I would like to have a human readable big picture of the policy on my system. I would like to see what, for example, Firefox plugins can do on my system from the policy perspective. So we would like to introduce a picture like this. I apologize, it's a preview of preview of preview. So we could see flows. We could see if Firefox plugins can access SC shadow file, for example. So we could see if we add some changes, if there is a change in the flow. If there is a security issue introduced by us or introduced by applications. So we will get a tool for Syllinux policy integrity testing. Do you like it? It's really nice. This guy is working on it, so keep going, good work. OK, so summary. Right now, you know, we reach 75% speed up of tools that performs Syllinux policy management. You know, we have an easy way how to shift on version of policy for your product, for your service. The next one. We know there is a new intermediate policy language called Syll. We know Syllinux helps mitigate consequences of exploits. We know new Syllinux for Atomic hosts, known as SE Atomic, is coming soon. Together with new troubleshooting and together with a new Syllinux analysis tool for Vizuli. Could you help me? Vizuli. Ah, thank you. OK, so it was summary. It's coming. So thank you and please contact me with questions and let's ask if you have questions. So the question is how we will provide additional security with SE Atomic, about which I was talking, for example, for Sulu. But the key point is on containers, on Atomic hosts, we care about containers. Of course, there will be probably a set of base services, as the system with its own policy. So there will be a policy for core services. OK, thank you. OK, next one. So if I understand correctly, you are asking about how a Syllinux will help with containers on the share volume. Just thinking, what was the question? How Syllinux will help with containers on shared volumes? So is there an open issue? Of course, if it is a shared volume, this volume is readable by another container, because it's a shared volume. So if there is a rule for it, we will close it. Yeah, but it's correct. So if the label is the same, which is for the shared volume, I guess. So if there is a rule allowing it, it will allow it. So let's talk about it after that. Thank you. Another question. Is there a remit? Paul is saying. Thanks Paul. Another question? Yeah, we will see. Yeah, it's a huge change. But good questions. But it's a no. There is a gift for you. OK, so we are out of time. Feel free to catch me if you have additional questions or other Syllinux guys. Thank you. Já mám nějaký spelling issue. A ti to uložím. Ale je možný topad nějak dodatěšně posládním komu. Já to uložím ti ušitě. A ti máš tedy. Jo, jo, jesný, jesný. Summary page? Yeah, which you have on the slide. Take a shot of it or can you publish it? It will be published. Yeah. It will be available. OK? Yeah, let's see.